How would this work? Do you know?


Discussion

It wouldn't work. You in theory ditch secp256k1 and start over with Crystals or similar (hello 2.5kb signatures). But on Nostr it makes no sense to hard fork and just change the key type, since there are other unresolved technical problems; you'd want to kill as many birds with one stone as you can.

It'd basically be an entirely new protocol. This one written off.

The problem is that it has to be done. I mean it would be quite a feat of engineering if within 3 years there was a quantum computer that can crack secp256k1 via Shor's, in the 2k-6k logical qubit range. But the thing is it's entirely possible, given how AI is supercharging error correction and new advances in qubit types and noise reduction. So if you are being serious about security you have to assume it will happen in 5 years, and you definitely have to assume it will happen in 10.

Signal started their fix a couple years ago and are basically done, so things like White Noise can be reworked to remove nostr (as we know it now) as the transport layer. But for nostr itself there is zero scope for migration, it's the end of the line.

Why isn't it as simple as key rotation? We sunset our current keys and switch to quantum resistant keys?

And every event will now contain a sig that is 2.5kb longer than current signatures.

What's the difficult part about migration?

First, because it’s not a migration in the Bitcoin core sense, or the Signal sense, etc. In nostr the vulnerable key is the absolute end of the line, last station on the subway. Second because a hard fork requires consensus and there is no way to achieve consensus here on something like “just” swapping out the keys, that would require consensus on everything about the hard fork from everyone who is to be a lead participant in it, and in a highly organic and unstructured way, which is the only way nostr has. Which, if you think about it, means starting again from scratch.
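
The two points above, that the pubkey is the identity and that a post-quantum signature is far larger, can be made concrete with the NIP-01 event format. The following is an added illustration, not code from anyone in this thread: it computes event ids the way NIP-01 does (sha256 over the compact JSON array `[0, pubkey, created_at, kind, tags, content]`), so it shows that rotating a key changes the id of every event, which is why "just swap the keys" is not a migration. It also measures how much one event's JSON grows when the 64-byte Schnorr signature becomes an ML-DSA-44 signature (2420 bytes raw, the "2.5kb" class mentioned above; Nostr hex-encodes the sig, so the JSON grows by about twice that). The keys and signatures are constructed filler of the right length; nothing here is signed.

```python
import hashlib
import json

# Raw sizes in bytes. Schnorr/secp256k1 per BIP-340; ML-DSA-44 per FIPS 204
# (the smallest CRYSTALS-Dilithium parameter set, i.e. the "2.5kb" signature).
SCHNORR_SIG_BYTES = 64
SCHNORR_PUBKEY_BYTES = 32
ML_DSA_44_SIG_BYTES = 2420


def canonical_json(value):
    """Compact JSON as NIP-01 requires for id computation: no whitespace."""
    return json.dumps(value, separators=(",", ":"), ensure_ascii=False)


def event_id(pubkey_hex, created_at, kind, tags, content):
    """NIP-01 event id: sha256 over [0, pubkey, created_at, kind, tags, content].
    The signing key's pubkey is part of the preimage, so the id commits to it."""
    preimage = canonical_json([0, pubkey_hex, created_at, kind, tags, content])
    return hashlib.sha256(preimage.encode("utf-8")).hexdigest()


def build_event(pubkey_hex, sig_hex, created_at=1700000000, kind=1,
                tags=None, content="hello nostr"):
    """Assemble a NIP-01 event object. sig_hex is supplied by the caller;
    this demo models the wire format only and performs no signing."""
    tags = tags or []
    return {
        "id": event_id(pubkey_hex, created_at, kind, tags, content),
        "pubkey": pubkey_hex,
        "created_at": created_at,
        "kind": kind,
        "tags": tags,
        "content": content,
        "sig": sig_hex,
    }


def wire_size(event):
    """Bytes of the compact JSON a relay would store and forward."""
    return len(canonical_json(event).encode("utf-8"))


# Constructed, not real keys or signatures: filler bytes of the right lengths.
OLD_PUBKEY = "11" * SCHNORR_PUBKEY_BYTES
NEW_PUBKEY = "22" * SCHNORR_PUBKEY_BYTES
SCHNORR_SIG = "ab" * SCHNORR_SIG_BYTES
PQ_SIG = "cd" * ML_DSA_44_SIG_BYTES


def rotation_changes_id():
    """Re-issue the same note under a rotated key: the id changes, so every
    reply, reaction, follow list and relay reference to the old id dangles."""
    before = build_event(OLD_PUBKEY, SCHNORR_SIG)
    after = build_event(NEW_PUBKEY, SCHNORR_SIG)
    return before["id"] != after["id"]


def pq_signature_overhead():
    """Growth of one event's JSON when the 64-byte Schnorr sig becomes an
    ML-DSA-44 sig. Nostr hex-encodes sig, so JSON grows 2 bytes per raw byte."""
    schnorr_event = build_event(OLD_PUBKEY, SCHNORR_SIG)
    pq_event = build_event(OLD_PUBKEY, PQ_SIG)
    return wire_size(pq_event) - wire_size(schnorr_event)


if __name__ == "__main__":
    print("rotating the key changes the event id:", rotation_changes_id())
    print("extra JSON bytes per event with an ML-DSA-44 sig:",
          pq_signature_overhead())
```

The pubkey field would grow in the same way (an ML-DSA-44 public key is 1312 bytes raw), and because the pubkey is inside the id preimage, a post-quantum Nostr would also need a new id scheme; there is no field in the current format that lets an old identity vouch for a successor key.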

I’m optimistic that it won’t be as difficult as you’re describing it. Another problem is also that we don’t have consensus in the cryptographic community on which quantum resistant algorithm is the best atm.

Well yeah, that's also an issue. It's also possible that Shor's is realized sooner than we're predicting, and announced suddenly, so before Bitcoin can propagate whatever is selected in the end, and that is the end of Bitcoin more or less, not just nostr. (There is currently a race condition between bitcoin core and a quantum machine that can realise Shor's.)

I'm optimistic that a Nostr 2.0 will come out and be much better than this one, but a complete from-scratch do-over.

I'm not optimistic that Nostr 1.0 can be "patched" by just swapping out keys. Every dev here has a sacred list of hard-fork-requiring things that, if there is going to be a hard fork for quantum or whatever else, then those things MUST also be in the hard fork. In other words the next fork might be the only hard fork to ever occur, and those hard-fork-requiring things will just have to be in it, now or never.